Practical Packet Analysis: a review

Background: You may remember some time ago, I posted a review of Michael Lucas’s Network Flow Analysis. He’s written several BSD books and so I figured it was worth reading further, knowing that this network-specific book would be BSD-friendly. Also, he made it easier by sending me a copy.

The book: Another way to describe the book is “Here’s how Wireshark works.” It dives right into network setup and the various parts of Wireshark. This makes for relatively dry reading at first – book descriptions of menu options are never as fun as actually clicking on the menus and getting results.

If you aren’t immediately familiar with the OSI network model, the book includes material on the lower layers of that model. It also talks about a number of real-world scenarios – specifically identifying speed issues and security monitoring.

As with most technical books, it works in part as narrative and in part as reference. There’s enough background material and procedure to get a relative newcomer started. The book also has enough detail that it’s worth coming back later to explore a new feature, or see how to solve a new problem.

My advice is to skim the book to get an idea of how Wireshark works, and then fire up Wireshark so you can see the actual live results. Then, go running back to the book to find out what it all means. The content matter is dry, but reading the text with a copy of Wireshark running will smooth out the process. I’d half-expect exercises at the end of every chapter to reinforce the steps being taken, though nobody ever voluntarily writes out homework. (I’m sure this will get a comment from someone about how much they enjoy solving random math puzzles. Good for you.)

This book is an excellent tool for any system administrator to gain useful troubleshooting skills. Those skills will look magical to anyone not familiar with the lower levels of how a network works.

The anecdote: Here is where I back up those statements on how important it is to use these network tools. Some years ago, I worked for the largest (though now defunct) power line networking service provider in the US. We had a Dell-manufactured home router device which just couldn’t acquire an IP address via DHCP on that power line network, but it worked anywhere else.

I was able to solve the problem by using Wireshark to watch the actual DHCP transaction. The router was receiving two DHCP ACK messages from the same device, which completely confused it. There was no way to identify this problem without looking directly at the activity on the wires (and reading RFC 2131). It made me look heroic, which is a nice break from the usual.
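The duplicate-ACK symptom in that anecdote can be checked mechanically once you have the raw UDP payloads from a capture. The following is an added example, not code from the book or from the post: it parses the fixed RFC 2131 header and the option 53 (message type) and option 54 (server identifier) fields, then counts DHCPACKs per transaction ID and server. The capture it runs over is constructed inline; the transaction IDs and addresses are made up.

```python
import struct
from collections import Counter

# RFC 2131 constants: DHCPACK message type, option codes, and the options cookie.
DHCPACK = 5
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_dhcp(xid, yiaddr, msg_type, server_id):
    """Constructed server-to-client (op=2) message: 236-byte fixed header, cookie, options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + server_id + bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts

def parse_dhcp(payload):
    """Return (xid, {option code: value}) from a raw DHCP UDP payload; rejects truncated input."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", payload[4:8])[0]
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else None
        if length is None or i + 2 + length > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return xid, opts

def duplicate_acks(payloads):
    """Map (xid, server id) -> count for every transaction that received more than one DHCPACK."""
    acks = Counter()
    for p in payloads:
        xid, opts = parse_dhcp(p)
        if opts.get(OPT_MSG_TYPE) == bytes([DHCPACK]):
            server = ".".join(str(b) for b in opts.get(OPT_SERVER_ID, b""))
            acks[(xid, server)] += 1
    return {key: n for key, n in acks.items() if n > 1}

# Constructed sample capture (not real traffic): one transaction gets two ACKs from the same server.
SERVER = bytes([192, 168, 1, 1])
SAMPLE_CAPTURE = [
    build_dhcp(0x3903F326, bytes([192, 168, 1, 20]), 2, SERVER),        # DHCPOFFER
    build_dhcp(0x3903F326, bytes([192, 168, 1, 20]), DHCPACK, SERVER),  # DHCPACK
    build_dhcp(0x3903F326, bytes([192, 168, 1, 20]), DHCPACK, SERVER),  # the duplicate
    build_dhcp(0x1A2B3C4D, bytes([192, 168, 1, 21]), DHCPACK, SERVER),  # healthy transaction
]
```

Running `duplicate_acks(SAMPLE_CAPTURE)` reports only the first transaction, with two ACKs from 192.168.1.1; feeding it payloads pulled from a real capture would flag the situation the router choked on.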

Back to DragonFly: Wireshark is available as net/wireshark in pkgsrc. The later chapters on traffic types and common problems will be helpful in any case, even when the only tool handy is tcpdump. There’s a lot of overlap between the filtering expressions used in tcpdump and the ones in Wireshark, and the capture files are interchangeable.

Disclaimer: I didn’t get anything except a copy of the book. So, I’m either unbiased, or a horrible negotiator.